NSO Group 'will no longer be responding to inquiries' about misuse of its software

The NSO Group, a purveyor of spyware it hopes governments and law enforcement bodies will use to fight terrorism, has announced it will not answer any further questions about allegations raised by Amnesty International and Forbidden Stories that its products have been widely misused. The company on Wednesday published a …

  1. A random security guy Bronze badge

    There is no evidence it's shut down Pegasus – just its PR department.

    Maybe, the personnel in the PR department have more integrity and the spokespersons are not able to lie with a straight face.

    Or, maybe, their lawyers told them to shut up.

    1. Potemkine! Silver badge
      Devil

      Re: There is no evidence it's shut down Pegasus – just its PR department.

      > the personnel in the PR department have more integrity and the spokespersons are not able to lie with a straight face

      ROTFL

      PR people ===> see icon

    2. ST Silver badge
      Devil

      Re: There is no evidence it's shut down Pegasus – just its PR department.

      > the personnel in the PR department have more integrity and the spokespersons are not able to lie with a straight face.

      Ummmmm ... the personnel in any PR department are paid to lie with a straight face. That's their job description. They are known as paid liars.

      Corporate terminology: shaping the message and staying on message.

      It's when the personnel in said PR department suddenly decide to go radio silent, that's when you know the shit has hit the fan.

    3. anothercynic Silver badge

      Re: There is no evidence it's shut down Pegasus – just its PR department.

      I suspect it's the latter. And since NSO Group is Israeli, the chances are that a certain institute in Tel Aviv also told them to kindly stop.

  2. bolac

    This is a strawman.

    The whole issue is not just misuse of software. When you give someone a copy of your software, you have no control where it ends up. But this is not the issue at all here.

    According to Amnesty, NSO operated the servers. NSO had lists of phone numbers for target people. NSO is not just a software manufacturer in this game. NSO is actively participating in the attacks, including the unlawful ones. They cannot just say: «Someone took our software and did an unlawful attack without our knowledge.» NSO was basically performing the unlawful attack themselves.

    1. bolac

      Re: This is a strawman.

      Another interesting question: How about terms of service? They used Amazon servers, fake Apple IDs, etc. It would be funny if Apple could sue them to never touch any iPhone again.

      1. Sam Therapy
        WTF?

        Re: This is a strawman.

        It would be nothing short of a miracle if a US based company could make that stick internationally.

        1. bolac

          Re: This is a strawman.

          They cannot catch them, but it would be punishment enough if NSO associates had an international warrant on them, not being able to travel anywhere without fear of arrest.

          1. cosmodrome

            Re: This is a strawman.

            I've got the feeling that it's rather the critics of NSO who find themselves on search lists than their employees. Which still beats finding yourself at a rendez-vous with a bone saw.

          2. Anonymous Coward
            Anonymous Coward

            Re: This is a strawman.

            > it would be punishment enough if NSO associates had an international warrant on them, not being able to travel anywhere without fear of arrest.

            Let's not encourage the US to unilaterally decide what someone can do when they're not anywhere near the US, shall we? If an international court (read: a court that acknowledges that other countries exist and have a degree of sovereignty) decided that these people should be on a ban list, fine, I'm game, but letting the US decide on its own what happens outside their borders is a very bad idea.

    2. Mike 137 Silver badge

      The fundamental problem

      Underlying all the immediately apparent problems is the basic one that commercial interests are deeply involved in the provision and use of surveillance technologies. Profits demand wide use, and that incentive can easily result in further blunting of already questionable ethics.

      The same mechanism is effectively universal in antisocial media, where offensive or illegal posts are left in place until a threshold of embarrassment to the service is crossed, because, regardless of protestations, they attract hits.

      1. HildyJ Silver badge
        Big Brother

        Re: The fundamental problem

        You are correct that NSO, while it may have originated as an Israeli government surveillance tool, is now in it for the money. Their products are popular and they operate exactly as intended.

        Appealing to ethics or embarrassment is hopeless. They have none of the former and are incapable of the latter.

        The statement is basically a big F U.

    3. Gordon 10 Silver badge

      SWaaS

      The key lesson here: just because you can offer SWaaS (SpyWare as a Service) doesn't mean you should. I bet this all started with some suit ordering their techies to do it over their objections.

      Sometimes arm's length is best. Seldom do arms dealers hang around near a war zone. NSO should take a lesson from them.

      1. doublelayer Silver badge

        Re: SWaaS

        "I bet this all started with some suit ordering their techies to do it over their objections."

        I don't think so. Technical people have the option not to do this, and they especially have the option not to do this well. To get a successful set of exploits and use them to this effect, it wouldn't appear they have technical people doing this under duress. I would be comfortable assigning guilt to any programmer on their software and I wouldn't be so quick to assume the blame only resides with a subset of those who know what's happening and do it gladly.

    4. Charlie Clark Silver badge

      Re: This is a strawman.

      The Israeli "spy services" sector provides a very useful function for the US military, which largely funds it through "defence support" funding. By providing a layer of plausible deniability it allows the three-lettered lot to engage in the kind of activities expressly forbidden by the US constitution, such as the warrant-less surveillance of US citizens (the rest of the world is fair game).

      There are similar arrangements for medical research because, here too, the US constitution forbids clandestine medical experiments on US citizens, even the non-white ones!

      1. veti Silver badge

        Re: This is a strawman.

        "... nor to deny to any person within its jurisdiction the equal protection of the laws."

        If it can be done to anyone within the USA, then citizenship makes no difference. Don't kid yourself. For laws to discriminate in favour of citizens is unconstitutional in itself.

    5. oiseau Silver badge
      WTF?

      Re: This is a strawman.

      > According to Amnesty, NSO operated the servers.

      And (of course, just what were you thinking?) AWS did not know or have any inkling as to what was going on.

      Right?

      O.

      1. doublelayer Silver badge

        Re: This is a strawman.

        Yes, that is what I assume. AWS has a lot of rented servers. It would be hard for them to know what each one is being used for. They identified some as being connected to NSO, but we don't even know if they got that from the account details or were just told of the service IDs. Either way, it wouldn't be hard for NSO to come back with a fake name and do it all again.

      2. Richocet

        Re: This is a strawman.

        Bezos alibi: I was in space at the time. I couldn't have done it.

  3. jgarbo
    Black Helicopters

    NSA swats cheeky NSO?

    Word is that NSO got cheeky, stealing customers/victims from traditional spy services. So Amnesty (CIA controlled) leaked NSO capers to keep NSA king of the hill. The Israelis must kow-tow to the master, not compete.

    1. Anhydrous Cummerbund
      Coffee/keyboard

      Re: NSA swats cheeky NSO?

      The above comment is:

      [ ] Sarcasm

      [ ] Troll

      [ ] Delusional

      Vote now :-)

  4. Anonymous Coward
    Anonymous Coward

    imperva.com fake certificate?

    Can someone shed some light on this?

    So, from here in Thailand to Shanghai using trace route:

    tracert english.sse.com.cn (222.73.229.73) (Shanghai stock exchange on China Telecom, located in Shanghai)

    > 30 hops, from TripleT (Thai ISP) it heads to Singapore (e.g. 203.208.172.234 Singtel etc.)

    Then to Zayo in the USA zayo.china-telecom.mpr1.lax12.us.zip.zayo.com [64.125.15.95]

    Then to 61.152.25.125 (China Telecom in Shanghai) 24 hops 411ms!

    Takes more than 30 hops and times out.

    So now let's trace the route to 61.162.25.125... that midpoint server located in Shanghai

    tracert 61.162.25.125

    This time it routes from Thailand to Hong Kong via 203.100.48.185 HongKong

    Arrives at 61.152.25.125 in 229ms, a lot faster, 15 hops vs 24 hops.....

    OK, so there's an intercept on queries to the Shanghai stock exchange, that reroutes data from Thailand to the USA via Singapore.

    If I trace a route to a China Telecom local server I saw in the tracepath on one run, it takes a much shorter path, twice as fast via HongKong.

    It strikes me that this is a https connection, and should be secure. So what would be gained by intercepting this unless the certificate is also intercepted?

    So let's go look at the certificate... holy fook, it covers like a gazillion domains, was issued to imperva.com, issued by GlobalSign nv-sa in Belgium

    Including iplocation ones, and a load of Israeli ones too.

    https://www.iplocation.net/ip-lookup

    Care to explain GlobalSign?

    1. Anonymous Coward
      Anonymous Coward

      Re: imperva.com fake certificate?

      All your data are belong to US.

      So it was, so it is, so it will always be.

    2. Anonymous Coward
      Anonymous Coward

      Re: imperva.com fake certificate?

      Nice trace :)

      I tend to enable AS numbers in such traces because that shows where traffic transits from one managed environment to the next.

      I would like to know how I can examine the certificates used for setting up SSL for SMTP and IMAP - any idea how? Main aim is to compare them between ISPs.
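The two traces above were compared by hand (hop count, last RTT, which carrier each hop belonged to), and the reply suggests enabling AS numbers so that carrier hand-offs become visible. The script below is an added example, not code from either commenter: it parses Windows `tracert` output, tags each hop with the network that announces it, and reports where the path crosses from one AS to the next. The tracert text is constructed from the IPs quoted in the thread with invented hop numbers and timings, and the prefix-to-AS table is an assumption for the example; a real tool would look prefixes up in a routing database such as Team Cymru's whois service or RIPEstat rather than hard-coding them.

```python
"""Parse Windows tracert output and annotate hops with AS ownership.

Added example for this thread; not any commenter's code. The prefix table is
an assumption standing in for a real routing database."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the route the commenter described
# (Thailand -> Singapore -> Zayo in the US -> Shanghai). Hop numbers and RTTs
# are invented; the IP addresses are the ones quoted in the thread.
SAMPLE_TRACERT = """\
Tracing route to english.sse.com.cn [222.73.229.73]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.0.0.1
  5    45 ms    44 ms    45 ms  203.208.172.234
  9   190 ms   188 ms   191 ms  zayo.china-telecom.mpr1.lax12.us.zip.zayo.com [64.125.15.95]
 12     *        *        *     Request timed out.
 24   411 ms   409 ms   412 ms  61.152.25.125
"""

# Illustrative prefix -> AS mapping (assumed for the example, not authoritative).
ASN_TABLE = [
    (ipaddress.ip_network("203.208.0.0/16"), "AS7473 Singtel"),
    (ipaddress.ip_network("64.125.0.0/16"), "AS6461 Zayo"),
    (ipaddress.ip_network("61.152.0.0/16"), "AS4134 China Telecom"),
]

# One tracert hop line: number, three probe results ("<1 ms", "12 ms" or "*"), then the host.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})(?P<host>.+?)\s*$"
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Hop:
    number: int
    rtts: List[Optional[int]]  # None where a probe timed out ('*')
    host: str
    ip: Optional[str]          # None for "Request timed out."


def parse_tracert(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header lines and blanks
        rtts = [None if tok == "*" else int(tok.lstrip("<").split()[0])
                for tok in re.findall(r"<?\d+ ms|\*", m.group("rtts"))]
        host = m.group("host")
        ip_match = IP_RE.search(host)
        hops.append(Hop(int(m.group("hop")), rtts, host,
                        ip_match.group(1) if ip_match else None))
    return hops


def lookup_asn(ip: str) -> str:
    """Longest-prefix match against ASN_TABLE; RFC 1918 space is 'private'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        return "private"
    best = None
    for net, label in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return best[1] if best else "unknown"


def summarize(text: str) -> dict:
    """Hop count, timed-out hops, worst RTT, the AS path and each AS hand-off."""
    hops = parse_tracert(text)
    rtts = [r for h in hops for r in h.rtts if r is not None]
    as_path: List[str] = []
    transitions: List[Tuple[int, str, str]] = []
    for h in hops:
        if h.ip is None:
            continue  # a silent hop tells us nothing about ownership
        label = lookup_asn(h.ip)
        if as_path and as_path[-1] != label:
            transitions.append((h.number, as_path[-1], label))
        if not as_path or as_path[-1] != label:
            as_path.append(label)
    return {
        "hops": len(hops),
        "timed_out": [h.number for h in hops if h.ip is None],
        "max_rtt_ms": max(rtts) if rtts else None,
        "as_path": as_path,
        "transitions": transitions,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACERT).items():
        print(f"{key}: {value}")
```

Run it on two captures of the same destination (as the poster did by hand) and compare the `as_path` lists: a route that leaves the region through a transit carrier shows up as an extra AS in the path, which is easier to reason about than raw hop counts and RTTs. As reGOTCHA notes later in the thread, two traces differing is ordinary dynamic routing; the AS path tells you which networks were involved, not whether anyone was intercepting.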

    3. Anonymous Coward
      Anonymous Coward

      Re: imperva.com fake certificate?

      > Can someone shed some light on this?

      > [snip]

      > Then to 61.152.25.125 (China Telecom in Shanghai) 24 hops 411ms!

      > [snip]

      > So now let's trace the route to 61.162.25.125... that midpoint server located in Shanghai

      > tracert 61.162.25.125

      > This time it routes from Thailand to Hong Kong via 203.100.48.185 HongKong

      > Arrives at 61.152.25.125 in 229ms, a lot faster, 15 hops vs 24 hops.....

    4. Anonymous Coward
      Anonymous Coward

      Re: imperva.com fake certificate?

      The GlobalSign nv-sa cert has been disabled on all my devices that will let me for years because of similar concerns.

      (iOS needs to offer that option like Android does)

    5. reGOTCHA

      Re: imperva.com fake certificate?

      imperva[.]com is one of those companies offering protection against DoS attacks. Your traffic goes to them to be checked for 'legitimacy' and then goes on to the destination. They have powerful machines receiving the traffic of all their clients and only the traffic deemed benign passes through. This explains why so many domains are under one certificate. They probably have many certificates with many more domains in them; it's not so obvious who their clients are based on one certificate.

      The good thing about certificates is that they are not magical and they don't appear and disappear without leaving a trace.

      This trace would be visible in some Certificate Transparency logs. Google, Cloudflare, Facebook, and many other certificate issuers monitor the issuing of certificates so it's damn hard to just issue a certificate linked all the way up to a root CA for a domain you don't own without getting noticed.

      For example, the 123-flowers[.]co[.]uk domain mentioned in the globalsign/imperva certificate, a bit down on the cert details page you can see in the "Embedded SCTs" section that this cert in particular was included in 3 transparency logs - Google “Xenon2021”, Cloudflare “Nimbus2021” and Sectigo (Comodo) “Sabre” CT.

      I searched a few of these logs and no certificate was ever issued by globalsign to the sse[.]com[.]cn domain or any of subdomains...

      It was probably a small mistake in your research that yielded those suspicious results.

      Another good thing about certificates and certificate transparency logs is that you get to know a lot of subdomains - even the ones not for general public - for research and academic purposes ofc.

      Regarding trace routing changing routes - that's just dynamic routing and traffic shaping working. Two tracert from the same place can have different routes and nothing guarantees you that your web traffic will have the same route as these two, also because you're using different protocols.

    6. Clausewitz 4.0
      Devil

      Re: imperva.com fake certificate?

      If you didn't know before, there is no such thing as HTTPS-protected for capable parties.

      Also, OpenVPN-grade encryption is child's play.

  5. Sitaram Chamarty

    I wish...

    the NSO chief and/or senior officers had attractive twitter handles.

  6. amanfromMars 1 Silver badge

    Nowhere good to run, nowhere smart to hide leaves one naked and exposed to more than just ridicule.

    NSO is announcing it will no longer be responding to media inquiries on this matter and it will not play along with the vicious and slanderous campaign.

    It has been said before, but it is always well worth repeating, and especially so with particular and peculiar regard to neglectful and disrespectful NSO Group firmware? .....

    How very wise. If one doesn't open one's mouth one cannot put one's feet in it. But that in itself reveals all that one would really need to know ...... such as there being no viable defence against outrageous suggestions and/or valid accusations ‽ .

    1. Charles 9 Silver badge

      Re: Nowhere good to run, nowhere smart to hide...

      Or, IOW, what good is keeping your mouth shut if you're already being panned as a total idiot or worse?

      1. Anonymous Coward
        Anonymous Coward

        Re: Nowhere good to run, nowhere smart to hide...

        If you're already in a hole, you best avoid excavating..

        1. Charles 9 Silver badge

          Re: Nowhere good to run, nowhere smart to hide...

          Everyone assumes when one has a shovel, one always digs down. Whatever happened to digging along...or even at an upward angle and thus getting yourself out?

          1. Anonymous Coward
            Anonymous Coward

            Re: Nowhere good to run, nowhere smart to hide...

            A shovel ?!? Hah! Luxury!

            :)

  7. Anonymous Coward
    Anonymous Coward

    Oooo look, magically fixed!

    On that GlobalSign certificate, the one with a bunch of domains listed, seemingly unrelated, that popped up when I went to look at the cert for Shanghai stock exchange. The plot thickens:

    Curious the domains listed don't include sse.com.cn or anything like it.

    Cert 09:EF:78:B3:0E:BA:08:05:6D:E4:94:22:93:E9:D3:CF:CE:D7:FA:86

    Auth Key id 42:6D:57:2D:4F:1F:26:77:74:A6:27:64:F6:80:FA:8F:48:68:FE:7C

    https://english.sse.com.cn/

    "Forbidden...." no longer gives me an encrypted link let alone to imperva.com

    http://english.sse.com.cn/

    Fast and responsive now. It defaults to this NON-encrypted site now.

    Likewise the tracert for 222.73.229.73 now goes via 116.51.17.189 in Singapore and direct to China Telecom..... 24 hops decent speed now.

    Q1. How is it that I get a cert for Imperva.com when I clicked to view the firefox cert for the Shanghai stock exchange, yet the domain isn't listed anywhere as an alias in that cert? How would that work? How would it get verified by GlobalSign???

    Q2. I see it has magically fixed itself!

    Now Shanghai stock exchange website no longer claims to be encrypted! And certainly not with some magical catch all cert! Is this the same for others?

    Q3. Is that how the route was forced? Return it as if it was encrypted, wrap the connection in TLS as imperva.com and route it yourselves? But then how did you inject the redirect to encrypted? The router perhaps (Cisco), a firefox exploit? PC exploit? Some sort of packet injection?

    Q4. How do I remove built in certificate authorities I don't trust? GlobalSign Belgium gave this cert out, and yet when I go to each site, I find their domain is slightly different and the cert provided by someone else. So I want to remove GlobalSign from the approved certificate authorities on Firefox.

    e.g.

    123-flowers.co.uk main domain is their www subdomain, www.123-flowers.co.uk, and the cert is from Cloudflare not GlobalSign.

    kitkat.com.au is KitKat Australia, their domain is the www subdomain, www.kitkat.com.au, and the cert is from Let's Encrypt, not GlobalSign.

    *.iplocation.net still shows as this magic cert.

    hays.com.sg redirects to www.hays.com.sg and the cert is from DigiCert not GlobalSign.

    So you can see how I'd want to remove GlobalSign from the list of trusted certificate authorities. How do I do it?
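Q1 above (a certificate whose names do not include the site you are visiting) and reGOTCHA's earlier point that no GlobalSign certificate for sse.com.cn shows up in the Certificate Transparency logs both come down to the same check a browser performs before it trusts a connection: is the hostname in the URL bar covered by one of the certificate's Subject Alternative Names? The code below is an added example, not any commenter's, Imperva's or GlobalSign's code. It implements the matching rules browsers apply (RFC 6125 section 6.4.3) and runs them against a constructed SAN list modelled on the names quoted in this post; it also covers the IP-literal and malformed-wildcard cases the post does not mention.

```python
"""Check whether a hostname is covered by a certificate's Subject Alternative
Names using browser-style matching rules (RFC 6125 section 6.4.3).

Added example for this thread; not any commenter's code."""
import ipaddress
from typing import List

# Constructed SAN list modelled on the names quoted from the GlobalSign/Imperva
# certificate. It is a sample for the example, not the real certificate.
SAMPLE_SANS = [
    "123-flowers.co.uk",
    "www.123-flowers.co.uk",
    "kitkat.com.au",
    "*.iplocation.net",
    "hays.com.sg",
    "www.hays.com.sg",
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if the dNSName SAN entry `pattern` covers `hostname`.

    Rules applied (the ones browsers enforce):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only allowed as the entire leftmost label, so
        'f*o.example.com' and 'www.*.example.com' never match anything;
      * '*' matches exactly one label: '*.iplocation.net' covers
        'www.iplocation.net' but not 'iplocation.net' or 'a.b.iplocation.net';
      * wildcards with fewer than three labels ('*.com') are rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if "*" in p_labels[0]:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def matching_sans(hostname: str, sans: List[str]) -> List[str]:
    """Return every SAN entry that covers `hostname`. An IP literal must equal
    an iPAddress SAN exactly; DNS wildcards never match IP addresses."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    hits = []
    for san in sans:
        if ip is not None:
            try:
                if ipaddress.ip_address(san) == ip:
                    hits.append(san)
            except ValueError:
                pass  # a DNS name can never satisfy an IP-literal hostname
        elif dns_name_matches(san, hostname):
            hits.append(san)
    return hits


def certificate_covers(hostname: str, sans: List[str]) -> bool:
    """What a browser decides: the connection fails unless some SAN matches."""
    return bool(matching_sans(hostname, sans))


if __name__ == "__main__":
    for name in ("english.sse.com.cn", "www.iplocation.net", "iplocation.net"):
        print(name, "->", matching_sans(name, SAMPLE_SANS) or "NO MATCH (browser rejects)")
```

The practical consequence is the one reGOTCHA draws: a certificate whose SANs do not include english.sse.com.cn would never have been accepted for that site without a warning, so a certificate viewer showing Imperva's SAN list for it most likely reflects a redirect, a cached page or a mis-read of the viewer rather than a certificate mis-issued by GlobalSign, and the CT logs are where to confirm whether any certificate for that name was ever issued.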

    1. Down not across Silver badge

      Re: Oooo look, magically fixed!

      > So you can see how I'd want to remove GlobalSign from the list of trusted certificate authorities. How do I do it?

      I think you mentioned you were using FF so something like this:

      - Options -> Privacy & Security

      - Scroll down to Certificates

      - Click "View Certificates"

      - Find the one you want and click "Delete or Distrust"

      1. Anonymous Coward
        Anonymous Coward

        Re: Oooo look, magically fixed!

        You'll want to distrust the cert because it will just come back if you delete it.

  8. PassiveSmoking
    Joke

    Deny Everything!

    "Are you Private S. Baldrick?"

    "NO!"

    "... but you are Captain Blackadder's batman"

    "NO!"

    "Come on Baldrick, can't you be a bit more helpful? It's me"

    "NO IT ISN'T!"

  9. lostinspace

    I'm lost, how is this NSO software/service any different to "normal" criminal malware or hacking? Why aren't these people being arrested and prosecuted?

    1. Yet Another Anonymous coward Silver badge

      They sold software that other people, mostly government agencies, used to spy on people.

      What are they guilty of that any other government contractor isn't ?

    2. Androgynous Cupboard Silver badge

      Lots of reasons.

      First, NSO sell the software, they don't do the hacking themselves (as I understand it).

      Second, NSO is in Israel, not where the crime (some variation of unlawful access to a device) is committed.

      Third, it's likely that most of the time the government security services are the ones that purchased the software - they don't tend to get prosecuted, not even in high-functioning democracies.

      Fourth - and I've been struggling a bit with this - is that although Amnesty and Forbidden Stories were given a list of 50,000 phone numbers, I think that's pretty much it. So Forbidden Stories check a few of the phones they can access - easy, as plenty of journos were on the list - find Pegasus, and make the reasonable assumption that 1+1=2. They did that on some 67 phones I believe.

      But some of the higher profile targets that have been in the press - Macron, Rahul Gandhi etc - are there because their numbers are on the list. But without a forensic examination of the phone there's no way of knowing if their phones were actually hacked, and I have to confess I'm struggling to join some of the dots to the conclusions being made in the papers: "Macron phone hacked by Morocco" is a long way from "Macron's number found on a list of phones, some of which are provably targeted by Pegasus, and Morocco the most likely suspects".

      That said, I've only just found the technical analysis at https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/, so haven't read it yet. Maybe the links are stronger than I've understood.

      EDIT: why not check your own phone too?

      1. Androgynous Cupboard Silver badge

        Re: Lots of reasons.

        To follow myself up, one of the more interesting quotes from that article:

        > Several iPhones Amnesty International has inspected indicate that Pegasus has recently started to manipulate system databases and records on infected devices to hide its traces and impede the research efforts of Amnesty International and other investigators.

        i.e. NSO are using their ill-gained root access on your phone to clear up any evidence they were there. So the kind of hard proof required for any prosecution, even if one were being considered, is being removed. They're in full-on damage limitation mode, for sure.

    3. Andy The Hat Silver badge

      Do you understand nothing?

      The State is good and wants to be good so badly that they buy bad systems off a good company that provides bad software, thus allowing the good people to check up on the good (and bad) people which makes it a good thing.

      Whereas, if it was a bunch of bad people, they don't give a monkey's about being good so they would buy bad systems off a bad company who provides bad software, thus allowing the bad people to check up on the good (and bad) people which makes it a bad thing.

      Obviously.

  10. JWLong Bronze badge

    Pegasus

    ......is the poster child for disposable flip phones.

    Use it a couple of times and toss it in the road.

    1. Anonymous Coward
      Anonymous Coward

      Re: Pegasus

      That's all the argument I need to get a few Motorola v3i again - IMHO the nicest flip ever made (at least the later versions with matte keyboard).

      I wish someone would make a smartphone with that exact form factor, and still a replaceable battery (because I suspect it's too small to hold enough juice for a day) - I'd buy a box of them. The only problem: it would be really hard for me to dispose of one like that :)

    2. HAL-9000
      Big Brother

      Re: Pegasus

      I think your advice mainly applies to dissidents and journalists who do good work holding rogue states to account. Everyone else is probably not on the radar, but I get your point and it'll probably be the default for these people in the future.

  11. Claptrap314 Silver badge

    NSO is a weapons manufacturer

    The law needs to require them to behave just like Raytheon or any of the others.

    1. Yet Another Anonymous coward Silver badge

      Re: NSO is a weapons manufacturer

      You mean bribe, via a bunch of deniable PACs, politicians to start wars and then give directorships to the DoD officials that negotiated the prices for their weapons?

      While claiming anybody that objects to the "Ninja 2000 InstaKill child-seeking cluster bomb" is a no good commie hippie peacenik

  12. Anonymous Coward
    Anonymous Coward

    "Enough is Enough"

    couldn't happen to nicer people.

    btw, "Enough is Enough" - is that a new, creative PR tactic for making the stink dissipate? Other PR departments worldwide watch carefully: if this works, we'll have a new 'approved!' tactic at our disposal. Hopefully our paymasters do not realize too quickly that, as we do nothing, they should perhaps pay us - nothing.

  13. Anonymous Coward
    Anonymous Coward

    Doubletalk

    First NSO claims it has no control over Pegasus or how it's used but then turns around and claims it knows for a fact that it wasn't used on the victims mentioned.

    If NSO DOES know who is being targeted then they should be held accountable for giving aid to terrorists, and if they DON'T have any idea who is being targeted then there should be criminal liability.

  14. steviebuk Silver badge

    The same governments

    Moaning are the ones that want to end, or put a backdoor in, end-to-end encryption, claiming it will only be used by "law enforcement", ignoring the fact that, just like this issue, it will be abused.

Biting the hand that feeds IT © 1998–2021